EP2707989B1 - Device and method for generating keys with enhanced security for fully homomorphic encryption algorithm - Google Patents

Description

1. Field of the invention

The field of the invention is that of so-called fully homomorphic encryption devices.

More specifically, the invention relates to the implementation of operations and digital key generation processes for a homomorphic encryption algorithm implemented in microprocessors and this to provide a significantly higher level of security than the prior art.

The invention particularly relates to infrastructure and key generation devices.

2. Prior Art 2.1. Public key cryptography

Cryptographic processing of digital data often requires public key encryption.

In a public key encryption algorithm, the encryptor encrypts a message m using an encryption algorithm E into an encrypted c = E (PK, m), using a public key, denoted by PK .

The recipient of the message decrypts the encrypted c by applying a decryption function D such that m = D (SK, c) where SK is a secret key linked to the public key PK.

The public and secret keys (respectively PK and SK ) are generated using a probabilistic algorithm called key generation algorithm.

For example, famous public key encryption algorithms are the so-called RSA algorithm described in US Patent US 4,405,829 , or the Diffie-Hellman key exchange described in US Patent US 4,200,770 .

2.1. Fully homomorphic cryptography with public key

It is particularly interesting, for many practical applications, to have a Fully Homomorphic Algorithm with Public Key (APHCP).

In addition to algorithms E and D, an APHCP includes two other algorithms, ADD and MUL, having, for all messages m [1] and m [2], the following properties:

• m [1] × m [2] = D (SK, MUL (E (PK, m [1]), E (PK, m [2]))) • m [1] + m [2] = D (SK, ADD (E (PK, m [1]), E ( PK, m [2])))

It can be shown that even if the operations m [1] + m [2] and m [1] × m [2] are modulo 2 (ie "+" represents the logical operation of "or exclusive" and "×" stands for "and logic"), any complex data processing can be coded using these two operations alone.

• Des APHCP permettent par exemple d'effectuer des calculs sur les données médicales de patients présents dans une base de données sans pour autant avoir à révéler leur identité.
• Des APHCP permettent de connaître le nombre de voix obtenues par les candidats d'une élection sans que l'on dévoile l'identité des votants.
• Des APHCP permettent la création de protocoles de paiement anonymes.
• Des APHCP permettent la création d'un système de ventes où le montant des enchères resterait inconnu, afin d'éviter que le vendeur cherche la surenchère. Seul le montant le plus important serait dévoilé à la fin de la procédure.

APHCP applications are multiple:

• For example, APHCPs make it possible to perform calculations on the medical data of patients present in a database without having to reveal their identity.
• The APHCP make it possible to know the number of votes obtained by the candidates of an election without revealing the identity of the voters.
• APHCPs allow the creation of anonymous payment protocols.
• APHCP allow the creation of a sales system where the amount of auctions would remain unknown, to prevent the seller seeks outbid. Only the largest amount would be disclosed at the end of the process.

A first APHCP was published by Craig Gentry in D1 corresponding to the article entitled "Fully Homomorphic Encryption Using Ideal Lattices" published in the Proceedings of the Symposium 41 st ACM Symposium on Theory of Computing (STOC), 2009 . This method, which has a great complexity of implementation, a second method of APHCP, based on integer arithmetic, was proposed by Marten van Dijk, Craig Gentry, Shai Halevi, and Vinod Vaikuntanathan (vDGHV) in document D2 corresponding to the article entitled "Fully Homomorphic Encryption over the Integers" published in the proceedings of the EUROCRYPT'2010 symposium on pages 24 to 43 .

Documents D1 and D2 are incorporated by reference in the present description.

2.2. VDGHV method

In the method vDGHV, the method of generation G of secret and public keys begins by generating an odd number p corresponding to a secret key SK, called secret key vDGHV, and a public key PK, called public key vDGHV corresponding to a collection of numbers integers x [i] = q [i] × p + r [i] for i ranging from 0 to k, with q [i] and r [i] being random numbers meeting the constraints specified in document D2 .

The numbers x [i] are such that r [i] is small relative to x [i] (for example r [i] is a number of 80 or 100 bits).

One of the elements of the public key vDGHV, the element denoted x [0], has a peculiarity: for the element x [0] , the following initial condition must be observed: r [0] = 0.

• r est un nombre aléatoire de taille à peu près similaire à celle des r[i] (la différence pouvant par exemple être d'un bit ou deux) ;
• Z = x[1] e[1] + ... + x[k] e[k] où les e[i] sont des bits aléatoires (i.e e[i] = 0 ou 1 de manière aléatoire).

In order to encrypt (via algorithm E ) a bit m , the sender calculates: c = m + 2r + 2Z where:

• r is a random number of size roughly similar to that of r [i] (the difference may for example be a bit or two);
• Z = x [1] e [1] + ... + x [k] e [k] where the e [i] are random bits (ie e [i] = 0 or 1 randomly).

In order to decipher (via the algorithm D ) an encryption c, the receiver calculates: m = (c mod p) mod 2.

The implementation of operations ADD and MUL, uses the so-called " bootstrapping " technique (corresponding to a technique of statistical inference), known to those skilled in the art, and described in document D2.

2.3. Implementation of the method of generation G of vDGHV keys by a microprocessor communicating with a hardware random generator.

The method of generating the public key vDGHV, which has been mentioned previously, is implemented on a hardware device 10 whose hardware architecture is illustrated by the figure 1 .

A microprocessor 11 is connected to an input and a data output interface means 12, to a random generator 13 and to a memory 14 in which the microprocessor reads instructions encoding a program Pg implementing the generation method G vDGHV keys.

At startup, the microprocessor 11 starts reading the program Pg in the memory 14. When it is executed on the microprocessor 11, the program Pg generates the secret key SK corresponding to an odd number p, and the public key PK = x [0 ], ..., x [k].

Once the elements x [i] have been obtained, the program Pg instructs the microprocessor 11 to communicate the elements x [0],..., X [k] via the data input and output interface 12 to another device.

• Définir r[0]=0 ;
• Générer un nombre aléatoire impair p (correspondant à la clé secrète SK) ;
• Générer k nombres aléatoires r[i] notés r[1],...,r[k];
• Générer k+1 nombres aléatoires q[i] notés q[0], ...,q[k].

The method of generation G of vDGHV keys, illustrated by the figure 2 , implements the following steps (in any order):

• Define r [0] = 0 ;
• Generate an odd random number p (corresponding to the secret key SK );
• Generate k random numbers r [i] denoted r [1], ..., r [k];
• Generate k + 1 random numbers q [i] denoted q [0] , ..., q [k].

Then, a obtaining step is implemented in order to determine the elements x [i] = q [i] p + r [i] for i ranging from 0 to k defining the public key PK.

2.4. Disadvantages of the prior art.

The aforementioned G key generation method vDGHV has a security flaw.

Indeed, insofar as the secret key SK corresponding to the number p which is a random odd number, it is quite possible that this number p can be written as a product of prime factors: $$\mathit{p}\dot{=}\mathit{p}{\left[\mathit{1}\right]}^{\mathit{at}\left[\mathit{1}\right]}\times ...\times \mathit{p}{\left[\mathit{The}\right]}^{\mathit{at}\left[\mathit{The}\right]}\mathit{.}$$

Here, the numbers p [i] represent prime numbers and the integers a [i] represent powers, that is to say the number of times each p [i] appears in the secret key p.

It is known to those skilled in the art that methods for completely or partially decomposing p into prime factors exist. For example, a first method known as Lenstra's elliptic curve factorization makes it possible to extract certain prime factors from integers. This first method is described in the article of Lenstra Jr., HW "Factoring integers with elliptic curves." published in Annals of Mathematics (2) 126 (1987) pages 649-673 and incorporated by reference. A second method known as the generalized number field sizing factorization algorithm also makes it possible to obtain such a decomposition.

By applying such a factorization method to the public key x [0] = p × q [0] = q [0] × p [1] ^{α [1]} × ... × p [L] ^{α [L]} , a possible attacker could discover at least one factor p [j] entering the composition of p.

The attacker can then calculate the quantity t = x [1] mod p [j]. Indeed, t = x [1] mod p [j] = r [1] mod p [j].

1. 1. Si p[j] > r[1], alors t = r[1], et la clé secrète peut être déterminée directement en calculant p = PGCD(x[0],x[1]-t).
2. 2. Si p[j] < r[1], alors l'attaquant détermine la valeur t= r[1] mod p[j], ce qui lui permet de rechercher exhaustivement la valeur de r[1] plus rapidement. Dans ce cas, l'attaquant tentera de calculer la quantité PGCD(x[0],x[1]-t-p[j]×i) pour différentes valeurs de i jusqu'à ce que pour une certaine valeur de i l'opération PGCD(x[0],x[1]-t-p[j]×i) révèle la clé secrète SK correspondant au nombre impair aléatoire p.

From there, two scenarios can arise:

1. 1. If p [j] > r [1], then t = r [1], and the secret key can be determined directly by calculating p = PGCD (x [0], x [1] -t).
2. 2. If p [j] <r [1], then the attacker determines the value t = r [1] mod p [j], which allows him to search exhaustively for the value of r [1] more quickly. In this case, the attacker will attempt to compute the amount PGCD ( x [ 0 ], x [1] - t - p [j] × i ) for different values of i until for a certain value of i PGCD operation (x [0], x [1] -tp [j] × i) reveals the secret key SK corresponding to the random odd number p .

Thus, it was not obvious to those skilled in the art to detect and formulate this safety problem inherent in the use of the generation method. G of vDGHV keys. The invention is therefore at least in part a problem invention, corresponding to the detection of this security breach.

3. Objectives of the invention

The general object of the invention is to overcome at least certain disadvantages of the known technique of vDGHV.

More specifically, a first object of the invention is to provide a technique for generating secret and public resistant keys for the APHCP method of vDGHV described above.

Another objective of at least one embodiment of the invention is to provide a technique for increasing the security level of the keys used for encryption and decryption.

4. Presentation of the invention

It is proposed a method of generation of secret and public keys vDGHV enhanced security, implemented in a device comprising at least one microprocessor and a memory, characterized in that it comprises a step of generating a secret key SK corresponding the generation of a random number p difficult or impossible to factorize.

1. (a) Définir r[0]=0 ;
2. (b) Générer un nombre premier aléatoire p, qui est par définition impossible à factoriser ;
3. (c) Générer k nombres aléatoires r[i] notés r[1],...,r[k] ;
4. (d) Générer k+1 nombres aléatoires q[i] notés q[0],..., q[k] ;
5. (e) Former les éléments de la clé publique x[i] = q[i] p + r[i] pour i allant de 0 à k ;
6. (f) Retourner la clé publique {x[0], ...,x[k]} et la clé secrète p.

Such a method provides, according to a first embodiment, the key generation enhanced using the fully homomorphic public key encryption algorithm published in the document D2, modified to include the following steps:

1. (a) Define r [0] = 0 ;
2. (b) Generate a random prime number p , which is by definition impossible to factorize;
3. (c) Generate k random numbers r [i] denoted r [1], ..., r [k];
4. (d) Generate k + 1 random numbers q [i] denoted q [0], ..., q [k];
5. (e) forming the elements of the public key x [i] = q [i] p + r [i] for i ranging from 0 to k;
6. (f) Return the public key { x [0], ..., x [k] } and the secret key p.

Thus, this method allows an increase in security due to the increased computational impossibility to find the value of p.

1. (a) Définir r[0]=0 ;
2. (b) Générer un nombre aléatoire p difficile à factoriser ;
3. (c) Générer k nombres aléatoires r[i] notés r[1], ...,r[k] ;
4. (d) Générer k+1 nombres aléatoires q[i] notés q[0], ...,q[k] ;
5. (e) Former les éléments de la clé publique x[i] = q[i] p + r[i] pour i allant de 0 à k;
6. (f) Retourner la clé publique {x[0], ...,x[k]} et la clé secrète p.

In a variant, there is provided a reinforced key generation method for the fully homomorphic public key encryption algorithm published in document D2, modified to include the following steps:

1. (a) Define r [0] = 0 ;
2. (b) Generate a random number p difficult to factorize;
3. (c) Generate k random numbers r [i] denoted r [1], ..., r [k] ;
4. (d) Generate k + 1 random numbers q [i] denoted q [0], ..., q [k] ;
5. (e) forming the elements of the public key x [i] = q [i] p + r [i] for i ranging from 0 to k ;
6. (f) Return the public key { x [0], ..., x [k]} and the secret key p.

A random number p difficult to factorize is a number whose size and composition is chosen so that the factorization operation (which has an exponential complexity in terms of computation time and memory resources) is unattainable by an attacker.

In another embodiment, there is provided a computing device having a microprocessor connected to a data input and output interface means, a random generator and a memory of which said microprocessor reads the instructions encoding a inventive key generation program operating according to any of the methods described above.

5. List of figures

The hardware key generation device of the prior art method vDGHV is described in FIG. figure 1 .

The main steps of the generation method G of vDGHV keys are described in the figure 2 .

The figure 3 presents steps of a key generation method G ', according to one embodiment of the invention.

6. Description of the invention

The inventive generation of elements x [i] of the PK security public key for a vDGHV type algorithm on a hardware architecture is performed as follows.

The hardware architecture of the device according to the invention (not shown) incorporates the elements of the hardware architecture of the device 10 of the prior art described in FIG. figure 1 that is, a microprocessor 11 connected to an input and a data output interface means 12, to a random generator 13 and to a memory 14 from which the microprocessor 11 reads the encoding instructions implementing the generation method G keys according to one embodiment of the invention.

The key generation method G 'differs from the key generation method G previously described by the step of generating the secret key.

At startup, the microprocessor 11 generates the secret key p according to one embodiment of the invention, and the corresponding elements x [0], ..., x [k] of the public key.

Once the elements x [i] have been generated, the device according to the invention transmits the elements x [0], ..., x [k] to another device via the input and output interface of data 12.

• Définir r[0] = 0 ;
• Générer un nombre aléatoire p difficile ou impossible à factoriser ;
• Générer k nombres aléatoires r[i] notés r[1],...,r[k] ;
• Générer k+1 nombres aléatoires q[i] notés q[0],...,q[k].

The figure 3 presents steps of a key generating method G 'according to one embodiment of the invention:

• Define r [0] = 0 ;
• Generate a random number p difficult or impossible to factorize;
• Generate k random numbers r [i] denoted r [1], ..., r [k] ;
• Generate k + 1 random numbers q [i] denoted q [0], ..., q [k] .

Note that these steps can be performed in any order.

Then, a obtaining step is implemented in order to determine the elements x [i] = q [i] p + r [i] for i ranging from 0 to k defining the public key PK.

According to a first embodiment, the secret key SK corresponding to the number p is a secret prime number. The mode of generating such secret prime numbers p is known to those skilled in the art and is for example used to generate secret keys for the RSA algorithm.

According to a second embodiment, the secret key SK corresponding to the number p is a product of prime numbers which is such that the product is difficult to factorize. The mode of generating such numbers p is known to those skilled in the art and is for example used to generate public keys for the RSA algorithm.

In both cases, the sizes of the parameters p, q [i] and r [i] follow the same recommendations as those described in the document D2 .

Moreover, any of the variants of the method according to the invention, described above, can also be implemented as hardware in a programmable component of the FPGA (Field Programmable Gate Array) type or ASIC type ( Application-Specific Integrated Circuit ".

Claims (6)

1. Method for generating secret and public keys, obtained by means of a fully homomorphic public-key encryption algorithm based on arithmetic over the integers, called vDGHV secret keys and public keys, with enhanced security, implemented in a device comprising at least one microprocessor (11) and a memory (14), characterized in that it comprises a step for generating a secret key SK corresponding to a random prime number p, or product of prime numbers, whose size and composition is chosen so that the factoring operation of said random number p is unrealizable by an attacker.
2. Method for generating keys according to claim 1 characterized in that it comprises the following steps:

   (a) defining r[0]=0;

   (b) generating said secret key SK corresponding to said random number p;

   (c) generating k random numbers r[i] denoted as r[1],...,r[k];

   (d) generating k+1 random numbers q[i] denoted as q[0],...,q[k];

   (e) forming said elements of the public key x[i] = q[i] p + r[i] for i ranging from 0 to k;

   (f) returning said public key PK = {x[0],...,x[k]} and the secret key SK = p.
3. Device comprising at least one microprocessor (11) connected to a data input and output interface means (12), a random generator (13) of secret and public keys, obtained by means of a fully homomorphic public-key encryption algorithm based on arithmetic over the integers called vDGHV secret keys and public keys, with enhanced security, and a memory (14) in which said microprocessor implements means for generating a secret key SK corresponding to a random prime number p, or product of prime numbers, of large size, whose size and composition is chosen so that the factoring operation of said random number p is unrealizable by an attacker.
4. Device according to claim 3 characterized in that said microprocessor (11) implements means for generating a secret key SK corresponding to a random prime number p.
5. Computer program product comprising program code instructions for implementing the method according to at least one of the claims 1 to 2, when said program is executed on a computer.
6. Computer-readable and non-transitory storage medium comprising a set of instructions executable by a computer or a processor to implement the method according to any one of the claims 1 to 2.

Images